I’m working on ACLs, so I thought I would write something about them. I’ve come across a lot of good information, like Cisco is easy's ACL posts, but I wanted to supplement it and visualize the options available when writing ACLs or working out what an existing ACL does. So, this tidbit covers Extended ACLs and the options available to them.
I wrote up two examples that I hope explore what Extended ACLs can do. It’s important to bear in mind that there are three ways to write the address portions of an ACL.
The first is with the “host” option:
access-list 110 permit tcp host 10.0.200.1 any eq 80
The second is via wild card mask:
access-list 110 permit tcp 172.16.26.2 0.0.31.255 any eq 80
The third is the “any” option, which can also be written as “0.0.0.0 255.255.255.255”.
access-list 110 permit tcp any any eq 80
or
access-list 110 permit tcp 0.0.0.0 255.255.255.255 any eq 80
The last trick to keep in mind is that when applying ACL filtering to all traffic from a subnet or IP range, the protocol keyword should be “IP” rather than tcp or udp:
access-list 192 deny IP any 10.1.1.0 0.255.255.255
This ACL denies everything to the 10.1.1.0/8 network. Because the protocol is IP, it blocks all IP traffic to that range, not just TCP or UDP.
Then we should have a look at the options available for extended ACLs (part of the IOS ? help output):
A.B.C.D  Source wildcard bits
A.B.C.D  Destination address
A.B.C.D  Destination wildcard bits
dscp     Match packets with given dscp value
Let’s look at two examples:
The first example denies the workstation with address 192.168.10.1 access to web services on any server in the 10.1.0.0/16 subnet. In this case, traffic destined for HTTP (port 80) will get filtered no matter what source port it originates from.
access-list 110 deny tcp host 192.168.10.1 10.1.1.0 0.0.255.255 eq 80
The second example permits TFTP traffic from any host in the 192.160.0.0/20 network to any server in the 10.1.1.0/24 network. With this ACL I am not only filtering traffic going to port 69, but I’m only allowing that traffic to originate from port 69. Granted, this is something you’ll never see in practice, but it proves the point that source ports can be filtered as well as destination ports.
access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp 10.1.1.0 0.0.0.255 eq 69
Now that we have a good visual representation of the extended ACLs, let’s see it in action. Here is the simple setup.
I entered the second extended ACL (example #2, ACL #198) to show the source port filtering option. This ACL is placed on interface FastEthernet 0/1, the interface that the 192.168.20.20/20 network is connected to. It is placed to filter inbound traffic.
I tend to think of ACLs as nets on the interface. So, when traffic is coming in it gets caught in the net. Pardon my poor drawing skills.
Extended ACLs are to be placed closest to the source, which to me makes sense: you want the traffic filtered before your routers do any wasted work routing packets that the ACL will just drop.
I generated some traffic from port 69 on PC0 with IP 192.168.20.20, and of course the destination was the TFTP server, port 69, with the address 10.1.1.254. You can see a packet from PC0 make its way here:
*Note: the packet was dropped at the TFTP server due to the absence of data in the packet. It was sent from a traffic generator and contained no upper-layer data, so it was dropped at the server.
Next, I sent some randomly generated traffic out of PC0 to the TFTP server. This came out of port 64353 going to destination port 69. In this case, the destination port and address were in the ACL:
However, the source port, 64353, is not in the ACL, so the packet doesn’t match the rule and falls through to the hidden catch-all at the end of every ACL:
access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp 10.1.1.0 0.0.0.255 eq 69
deny any any
You can see the hidden deny rule take effect and the source and destination ports in the following:
*Note: the receiving port noted is fa0/1 on the router, where the ACL is applied inbound.
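To make the matching rules above concrete, here is a small first-match simulator I added for this post (it is not code from the post, from Cisco, or from the Packet Tracer lab). It covers the three address forms (host, wildcard mask, any / 0.0.0.0 255.255.255.255), the ip versus tcp/udp protocol keyword, the eq/neq/gt/lt/range port operators, and the hidden deny any any at the end of every list. The function names, the packet tuples and the small NAMED_PORTS table are my own constructions; the ACL lines fed to it are the ones from the post.

```python
"""Constructed example: first-match evaluation of Cisco extended-ACL entries."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Port names used in the post; IOS knows many more (see the option list).
NAMED_PORTS = {"tftp": 69, "www": 80, "ftp": 21, "telnet": 23,
               "smtp": 25, "pop3": 110}
PORT_OPS = ("eq", "neq", "gt", "lt", "range")


def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class AddrMatch:
    """A.B.C.D plus wildcard bits: a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return (ip_int(ip) & care) == (self.addr & care)


def parse_addr(tokens: List[str]) -> AddrMatch:
    """Consume one address spec: 'host A.B.C.D' | 'any' | 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "host":                 # exact host, i.e. wildcard 0.0.0.0
        return AddrMatch(ip_int(tokens.pop(0)), 0)
    if tok == "any":                  # identical to 0.0.0.0 255.255.255.255
        return AddrMatch(0, 0xFFFFFFFF)
    return AddrMatch(ip_int(tok), ip_int(tokens.pop(0)))


def to_port(tok: str) -> int:
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def parse_port(tokens: List[str]) -> Callable[[int], bool]:
    """Optional operator after an address; no operator means 'any port'."""
    if not tokens or tokens[0] not in PORT_OPS:
        return lambda p: True
    op = tokens.pop(0)
    a = to_port(tokens.pop(0))
    if op == "range":
        b = to_port(tokens.pop(0))
        return lambda p: a <= p <= b
    return {"eq": lambda p: p == a, "neq": lambda p: p != a,
            "gt": lambda p: p > a, "lt": lambda p: p < a}[op]


@dataclass
class Ace:
    action: str
    proto: str
    src: AddrMatch
    sport: Callable[[int], bool]
    dst: AddrMatch
    dport: Callable[[int], bool]

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:   # 'ip' covers every protocol
            return False
        return (self.src.matches(src) and self.sport(sport)
                and self.dst.matches(dst) and self.dport(dport))


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port]'."""
    tokens = line.lower().split()
    if tokens[0] != "access-list" or tokens[2] == "remark":
        return None                   # remarks never match anything
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = parse_addr(rest)
    sport = parse_port(rest)
    dst = parse_addr(rest)
    dport = parse_port(rest)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl: List[str], proto: str, src: str, sport: int, dst: str, dport: int):
    """First match wins; no match falls to the hidden 'deny any any'.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    aces = [a for a in map(parse_ace, acl) if a is not None]
    for i, ace in enumerate(aces):
        if ace.matches(proto, src, sport, dst, dport):
            return ace.action, i
    return "deny", None


if __name__ == "__main__":
    acl_198 = ["access-list 198 permit udp 192.168.20.0 0.0.15.255 eq tftp "
               "10.1.1.0 0.0.0.255 eq 69"]
    # Constructed packets mirroring the lab run: PC0 -> TFTP server.
    print(evaluate(acl_198, "udp", "192.168.20.20", 69, "10.1.1.254", 69))     # ('permit', 0)
    print(evaluate(acl_198, "udp", "192.168.20.20", 64353, "10.1.1.254", 69))  # ('deny', None)
```

The second call returns ('deny', None): the destination matches but the source port does not, so the packet is dropped by the implicit deny rather than by any entry you wrote, which is exactly what the router shows in the capture. Swapping the source port predicate for the default (no eq tftp) is what you would do in a real TFTP rule.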
Hopefully, this sheds some light on the options and ways to write extended ACLs. To supplement this, I’ve added the explanations of the available options as the IOS ? help shows them.
deny        Specify packets to reject
permit      Specify packets to forward
remark      Access list entry comment
ahp         Authentication Header Protocol
eigrp       Cisco's EIGRP routing protocol
esp         Encapsulation Security Payload
gre         Cisco's GRE tunneling
icmp        Internet Control Message Protocol
ip          Any Internet Protocol
ospf        OSPF routing protocol
tcp         Transmission Control Protocol
udp         User Datagram Protocol
A.B.C.D     Source address
any         Any source host
host        A single source host
any         Any destination host
eq          Match only packets on a given port number
gt          Match only packets with a greater port number
host        A single destination host
lt          Match only packets with a lower port number
neq         Match only packets not on a given port number
range       Match only packets in the range of port numbers
<0-65535>   Port number
ftp         File Transfer Protocol (21)
pop3        Post Office Protocol v3 (110)
smtp        Simple Mail Transport Protocol (25)
telnet      Telnet (23)
www         World Wide Web (HTTP, 80)
eq          Match only packets on a given port number
established established
gt          Match only packets with a greater port number
lt          Match only packets with a lower port number
neq         Match only packets not on a given port number
precedence  Match packets with given precedence value
range       Match only packets in the range of port numbers
etc.
Nice Article! Thanks for sharing with us.